Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub

Cybercriminals are exploiting the recent Claude Code leak incident by using it as a social engineering tactic to deliver malware through GitHub repositories. The attackers have created trojanized versions of the leaked Claude source code, distributing malicious payloads including Vidar stealer version 18.7 and GhostSocks trojan. The campaign demonstrates rapid opportunistic exploitation of high-profile security incidents, with compromised repositories serving as delivery mechanisms. Organizations are advised to implement Zero Trust architecture to mitigate risks from shadow AI instances and trojanized Claude agents. Multiple GitHub repositories have been identified hosting the malicious code, with command and control infrastructure established across multiple IP addresses and domains.

Pulse ID: 69dcfb8e8ffc72d13aa8e7fe
Pulse Link: https://otx.alienvault.com/pulse/69dcfb8e8ffc72d13aa8e7fe
Pulse Author: AlienVault
Created: 2026-04-13 14:19:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #Rust #SMS #SocialEngineering #Trojan #Vidar #ZeroTrust #bot #AlienVault
